package com.example.fp.zlz.config;

import com.example.fp.zlz.util.MyExpiredSessionStrategy;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;
import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy;

import javax.annotation.Resource;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	@Resource
	private SessionRegistry sessionRegistry;

	@Autowired
	private AuthenticationProvider provider;
	@Autowired
	private AuthenticationSuccessHandler myAuthenticationSuccessHandler;
	@Autowired
	private AuthenticationFailureHandler myAuthenticationFailHander;

	@Override
	protected void configure(HttpSecurity httpSecurity) throws Exception {
		//配置信息
		httpSecurity
				.formLogin().loginPage("/login").loginProcessingUrl("/login/form").failureUrl("/loginfail")
				.successHandler(myAuthenticationSuccessHandler)
				.failureHandler(myAuthenticationFailHander)
				.permitAll()
				.and()
				.authorizeRequests()
				.antMatchers("/register","/insertadmin","/logout","/logoutsession").permitAll().anyRequest().authenticated()
				.and()
				.csrf().disable();
		httpSecurity
				.logout()
				.logoutUrl("/logout")
                .permitAll()
				.logoutSuccessUrl("/login")
				.invalidateHttpSession(true)
				.deleteCookies("JSESSIONID")
				.and()
				.csrf().disable();
		httpSecurity
				.sessionManagement()
				.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
				.invalidSessionUrl("/invalidsession")
				.maximumSessions(1)
				.sessionRegistry(sessionRegistry)
				.expiredSessionStrategy(new MyExpiredSessionStrategy())
				.expiredUrl("/login");

		httpSecurity.headers().frameOptions().disable();

	}

	@Override
	public void configure(WebSecurity web) throws Exception {
		//解决静态资源被拦截的问题
		web.ignoring().antMatchers("/command/**");
		web.ignoring().antMatchers("/css/**");
		web.ignoring().antMatchers("/assets/**");
		web.ignoring().antMatchers("/font/**");
		web.ignoring().antMatchers("/images/**");
		web.ignoring().antMatchers("/js/**");
		web.ignoring().antMatchers("/lib/**");
		web.ignoring().antMatchers("/backgrounds/**");
	}
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception{
		auth.authenticationProvider(provider);
	}

	private SessionInformationExpiredStrategy sessionInformationExpiredStrategy() {
		return new SimpleRedirectSessionInformationExpiredStrategy("/login.html");
	}

	@Bean
	public SessionRegistry sessionRegistry() {
		return new SessionRegistryImpl();
	}

	//SpringSecurity内置的session监听器
	@Bean
	public HttpSessionEventPublisher httpSessionEventPublisher() {
		return new HttpSessionEventPublisher();
	}



}
